TT Malware Log

A personal log of research, study and reference notes on malware / cyber attacks / analysis techniques

APT27 (Summary)

Overview

【Key points】

◎ Chinese cyber-attack (APT) group.


【Dictionary】

◆Emissary Panda (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/actor/emissary_panda

◆LuckyMouse (Malpedia)
https://malpedia.caad.fkie.fraunhofer.de/actor/luckymouse


【Overview】

■ Group names

Group name          Named by (blank where this page does not record it)
APT27               FireEye
Emissary Panda      CrowdStrike, NCC Group
Bronze Union        SecureWorks
TG-3390             SecureWorks
ZipToken
ARCHERFISH
Iron Tiger
Group 35            Cisco
TEMP.Hippo
LuckyMouse          Kaspersky
Threat Group-3390
HIPPOTeam


■ Associated country

  • China

Articles


【News】

◆Threat Group 3390 Cyberespionage (Secureworks, 2015/08/05)
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
http://malware-log.hatenablog.com/entry/2015/08/05/000000_3

◆LuckyMouse uses malicious NDISProxy Windows driver to target gov't entities (ZDNet, 2018/09/10)
https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/
http://malware-log.hatenablog.com/entry/2018/09/10/000000_5

◆Kaspersky Lab confirms that the cyber-crime group "LuckyMouse" signs malware with a stolen legitimate digital certificate and uses it in attacks (Sankei Shimbun, 2018/09/18 14:44)
http://www.sankei.com/economy/news/180918/prl1809180243-n1.html
http://malware-log.hatenablog.com/entry/2018/09/18/185335

◆RSAC 2019: Bronze Union APT Updates Remote Access Trojans in Fresh Wave of Attacks (ThreatPost, 2019/02/27)
https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/
http://malware-log.hatenablog.com/entry/2019/02/27/000000_4

◆Small in number, but attacks resembling those of the APT group "Emissary Panda" detected (LAC) (NetSecurity, 2019/12/26 06:06)
https://scan.netsecurity.ne.jp/article/2019/12/26/43462.html
https://malware-log.hatenablog.com/entry/2019/12/26/000000_8


【Blogs】

◆ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence? (ThreatConnect, 2016/10/17)
https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/

◆BRONZE UNION Cyberespionage Persists Despite Disclosures (SecureWorks, 2017/06/27)
https://www.secureworks.com/research/bronze-union

◆Decoding network data from a Gh0st RAT variant (nccgroup, 2018/04/17)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/

◆LuckyMouse hits national data center to organize country-level waterholing campaign (Kaspersky, 2018/06/13 10:00)
https://securelist.com/luckymouse-hits-national-data-center/86083/
http://malware-log.hatenablog.com/entry/2018/06/13/000000_2

◆Emissary Panda – A potential new malicious tool Introduction (nccgroup, 2018/05/18)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/
http://malware-log.hatenablog.com/archive/2018/05/18

◆Chinese Hackers Carried Out Country-Level Watering Hole Attack (The Hacker News, 2018/06/14)
https://thehackernews.com/2018/06/chinese-watering-hole-attack.html

◆Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes” (Ars Technica, 2015/08/06 04:00)
https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
(Subheading: Emissary Panda group penetrated the networks of industrial espionage targets.)

◆LuckyMouse Group is back and using a legitimate certificate to sign malware (Kaspersky, 2018/09/10)
https://www.kaspersky.com/about/press-releases/2018_luckymouse-group-is-back-and-using-a-legitimate-certificate-to-sign-malware
http://malware-log.hatenablog.com/entry/2018/09/10/000000_4


【Published reports】

◆REGIONAL ADVANCED THREAT REPORT: Europe, Middle East and Africa 1H2015 (FireEye, 2015)
https://www.fireeye.com/content/dam/fireeye-www/partners/pdfs/rpt-regional-atr-emea-web-bt.pdf
http://malware-log.hatenablog.com/entry/2015/04/01/000000

【Indicators】

■ Hashes (MD5)

  • 3BEA073FA50B62C561CEDD9619CD8425

■ Hashes (SHA-256)

SHA-256                                                          Filename
EE04B324F7E25B59D3412232A79D1878632D6817C3BB49500B214BF19AFA4E2C Mozilla.exe
0BA49FEB7784E6D33D821B36C5C669D09E58B6795ACA3EEBBF104B763B3B3C20 Updateproxy.dll
33B7407E534B46BF8EC06D9F45ECD2D3C7D954340669E94CD7CEDCBAE5BAD2DD Telnet.dll
6160AF383794212B6AD8AB9D6D104BBE7AEFB22410F3AB8EA238F98DABFC48B7 Socks.dll
C63B01C40038CA076072A35913F56D82E32FCEE3567650F3392B5C5DA0004548 Shell.dll
D51EC4ACEAFA971E7ABD0CF4D27539A4212A448268EF1DB285CD9CE9024D6EB3 Session.dll
BD8086DE44E16EFDD380E23E49C4058D956538B01E1AE999B679B6B76B643C7D Screen.dll
B44A9545B697B4D46D5B96862A6F19EA72F89FED279F56309B2F245AC8380BE0 Port.dll
F4DF97108F18654089CFB863F2A45AA41D17A3CE8A44CCCC474F281A20123436 File.dll
D31D38403E039F5938AE8A5297F35EB5343BB9362D08499B1E07FAD3936CE6F7 ConEmu.exe
A591D4D5B8D23FF12E44A301CE5D4D9BF966EBA0FC0068085B4B4EC3CE352963 Noodles.exe
EEBFF21DEF49AF4E85C26523AF2AD659125A07A09DB50AC06BD3746483C89F9D Coal.exe (Malicious executable)
97B9D7E16CD6B78A090E9FA7863BD9A57EA5BBE6AE443FA788603EEE5DA0BFC3 Abg.exe (Malicious executable)
B6C21C26AEF75AD709F6C9CFA84BFA15B7EE709588382CE4BC3544A04BCEB661 23d.exe (Malicious executable)
DB9B9FA9EFA53662EC27F4B74B79E745F54B6C30C547A4E5BD2754E9F635F6DB 89d.exe (Malicious executable)


■ IP addresses (C2)

  • 23.227.207.137
  • 89.249.65.194


■ Files (paths)

  • C:\ProgramData\HIDMgr
  • C:\ProgramData\Rascon
  • C:\ProgramData\TrkSvr


■ Services

  • HIDMgr
  • RasconMan
  • TrkSvr


■ Registry

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

(The indicators above are from NCC Group; source: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/)



■ Malware sample details

MD5: 3bea073fa50b62c561cedd9619cd8425
SHA1: ae917a61cb01df3906472b3140193c1ef62f8d75
SHA256: df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db
SHA512:
SSDEEP: 768:8kTUqTrSxd1WaNmN+NoF4P2MBL/enc8RGIcA2YvrK3gHLXokP:LwqCd1dINmEYYBGIcA2UK3Mok
authentihash: 8e313f41dc7e65a09f3b2b944cdc53276e01988e85834bb3053d23b9d7eb5013
imphash: e62620335bb00fe44ca7fe6a8bd55a4b
File size: 86016 bytes
File type: Win32 EXE (PE32 executable for MS Windows (GUI) Intel 80386 32-bit)
Compile timestamp: 2015-06-30 10:29:41 (PE header value; it can be set arbitrarily by the builder, so treat it as a hint, not evidence)
Debug path:
File name:
File path:
Dropped files:
Characteristics:
Reference: https://www.virustotal.com/ja/file/df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db/analysis/

◆ Hashes (MD5)

  • 22CBE2B0F1EF3F2B18B4C5AED6D7BB79
  • 0D0320878946A73749111E6C94BF1525
  • ac337bd5f6f18b8fe009e45d65a2b09b
  • 04dece2662f648f619d9c0377a7ba7c0

◆FQDN

  • bbs.sonypsps[.]com
  • update.iaacstudio[.]com
  • wh0am1.itbaydns[.]com
  • google-updata[.]tk
  • windows-updata[.]tk
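Hunting for the indicators above in log data. The following is an added example written for this log entry; it is not code from NCC Group, Kaspersky or any other source cited here, and it serves both the NCC Group indicator block (hashes, C2 IPs, paths, services) and the MD5 / FQDN lists immediately above. The indicator values are copied from the page; the log lines, their field layout, and the assumption that defanged hosts use the `[.]` form are constructed for illustration. Two details a practitioner needs that a plain string search gets wrong: the page mixes upper- and lower-case digests, so hashes are normalised before comparison, and a DNS query for a subdomain of a listed FQDN must still match, so hostname matching is suffix-based.

```python
"""Match the APT27 / LuckyMouse indicators from this page against log lines.

Added example for this log entry, not code from NCC Group, Kaspersky or any other
cited source. Indicator values are copied from the page; SAMPLE_LOGS and their
formats are constructed for illustration.
"""
import ipaddress
import re

# --- indicators copied from the page ------------------------------------------
IOC_MD5 = {
    "3BEA073FA50B62C561CEDD9619CD8425",
    "22CBE2B0F1EF3F2B18B4C5AED6D7BB79",
    "0D0320878946A73749111E6C94BF1525",
    "ac337bd5f6f18b8fe009e45d65a2b09b",
    "04dece2662f648f619d9c0377a7ba7c0",
}
# Part of the page's SHA-256 table; add the remaining rows the same way.
IOC_SHA256 = {
    "EE04B324F7E25B59D3412232A79D1878632D6817C3BB49500B214BF19AFA4E2C": "Mozilla.exe",
    "0BA49FEB7784E6D33D821B36C5C669D09E58B6795ACA3EEBBF104B763B3B3C20": "Updateproxy.dll",
    "EEBFF21DEF49AF4E85C26523AF2AD659125A07A09DB50AC06BD3746483C89F9D": "Coal.exe",
    "df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db": "(sample detailed above)",
}
IOC_IPV4 = {"23.227.207.137", "89.249.65.194"}
IOC_FQDN_DEFANGED = [
    "bbs.sonypsps[.]com",
    "update.iaacstudio[.]com",
    "wh0am1.itbaydns[.]com",
    "google-updata[.]tk",
    "windows-updata[.]tk",
]
IOC_SERVICES = ["HIDMgr", "RasconMan", "TrkSvr"]
IOC_PATHS = [r"C:\ProgramData\HIDMgr", r"C:\ProgramData\Rascon", r"C:\ProgramData\TrkSvr"]


def refang(indicator: str) -> str:
    """Turn the page's defanged form (example[.]com) back into a real hostname."""
    return indicator.replace("[.]", ".").lower()


def normalize_hash(value: str):
    """Lower-case a hex digest and name its algorithm by length; reject non-hex input."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        raise ValueError(f"not a hex digest: {value!r}")
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))
    if algo is None:
        raise ValueError(f"unexpected digest length {len(v)}: {value!r}")
    return algo, v


MD5_SET = {normalize_hash(h)[1] for h in IOC_MD5}
SHA256_SET = {normalize_hash(h)[1] for h in IOC_SHA256}
FQDN_LIST = [refang(d) for d in IOC_FQDN_DEFANGED]

# Longest digest first so a SHA-256 is not split into shorter hex runs.
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")  # applied to the lower-cased line


def matching_fqdn(host: str):
    """Exact or parent-domain match, so cdn.google-updata.tk still hits google-updata.tk."""
    for ioc in FQDN_LIST:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line: str) -> list:
    """Return (kind, indicator) pairs for every page IOC found in one log line."""
    hits = []
    low = line.lower()
    for token in HEX_RE.findall(line):
        algo, digest = normalize_hash(token)
        if algo == "md5" and digest in MD5_SET:
            hits.append(("md5", digest))
        elif algo == "sha256" and digest in SHA256_SET:
            hits.append(("sha256", digest))
    for token in IPV4_RE.findall(line):
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            continue  # e.g. 999.1.1.1 fits the regex but is not an address
        if ip in IOC_IPV4:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(low):
        ioc = matching_fqdn(host)
        if ioc:
            hits.append(("fqdn", ioc))
    for svc in IOC_SERVICES:
        # Word match; it also fires on a path that contains the service name, which is fine for triage.
        if re.search(rf"\b{re.escape(svc)}\b", line):
            hits.append(("service", svc))
    for path in IOC_PATHS:
        if path.lower() in low:  # prefix of the full path, case-insensitive as on NTFS
            hits.append(("path", path))
    return hits


def scan_logs(lines) -> list:
    """Return (line_index, kind, indicator) for every hit across the lines."""
    return [(i, kind, ioc) for i, line in enumerate(lines) for kind, ioc in scan_line(line)]


# Constructed sample lines (DNS, proxy, Sysmon-style service install, EDR hash, AV scan).
SAMPLE_LOGS = [
    "2018-06-12T09:13:04Z dns query client=10.0.0.17 qname=update.iaacstudio.com qtype=A",
    "2018-06-12T09:13:05Z proxy 10.0.0.17 -> 23.227.207.137:443 CONNECT bytes=1820",
    "2018-06-12T09:14:00Z dns query client=10.0.0.22 qname=www.example.com qtype=A",
    "2018-06-12T09:15:42Z dns query client=10.0.0.31 qname=cdn.google-updata.tk qtype=A",
    "2018-06-12T09:20:11Z sysmon EventID=7045 ServiceName=RasconMan ImagePath=C:\\ProgramData\\Rascon\\svc.exe",
    "2018-06-12T09:25:30Z edr file_hash sha256=ee04b324f7e25b59d3412232a79d1878632d6817c3bb49500b214bf19afa4e2c path=C:\\Users\\a\\Mozilla.exe",
    "2018-06-12T09:30:02Z av scan md5=3BEA073FA50B62C561CEDD9619CD8425 file=sample.bin",
    "2018-06-12T09:31:00Z proxy 10.0.0.9 -> 93.184.216.34:443 CONNECT bytes=512",
]

if __name__ == "__main__":
    for idx, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {kind} {ioc}  <- {SAMPLE_LOGS[idx]}")
```

The Run key listed under Registry is a location rather than a value, so it cannot be matched as a string in logs; check it on the host (autorun entries pointing into the ProgramData paths above) rather than through this scanner. The SHA-256 table is copied only in part to keep the example short; the remaining rows from the page go into IOC_SHA256 unchanged.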

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2020